HOWTO serve Gandi SSL certs in nginx

I’m a big fan of Gandi for domain hosting since they are very transparent about their operation, support the efforts of EFF and last but not least, are based in Paris. So today I transferred fak3r.com over to Gandi, and earned a free SSL cert for a year for doing so! Cool, since my old StartSSL cert expired, I needed to replace it, so this was nice timing. Now while Gandi’s documentation is very good, and I’ve done plenty of SSL setup before, I still hit a snag that I’ve hit before, so this time I wanted to record it so I wouldn’t have to look it up again next time.
The issue comes about because nginx doesn’t have a directive for an intermediate, or chained, cert file. So while Apache has the SSLCertificateChainFile directive, in nginx we have to concatenate the intermediate cert with the certificate file for nginx to recognize it. Here’s how you do it.
First we need a directory to hold the SSL certs. It’s really not important where, but I’ve always put mine in /etc/nginx/ssl/FQDN

mkdir -p /etc/nginx/ssl/fak3r.com

Then follow Gandi’s instructions on creating the SSL data they need to make your cert, then download it to that directory. Next we need to grab Gandi’s CA cert and put it in that directory too

Test that everything works, and if so, restart nginx to pick up the changes

nginx -t
/etc/init.d/nginx restart
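
The concatenation described above, as an added example that is not from the original post: a shell helper that writes the server certificate first and the intermediate second, copes with inputs that lack a final newline or use CRLF line endings, and checks with openssl that the private key matches. The function names and the file names in the usage comment are assumptions.

```shell
#!/bin/sh
# Usage (file names are hypothetical):
#   cd /etc/nginx/ssl/fak3r.com
#   build_bundle fak3r.com.crt intermediate.pem fak3r.com.bundle.crt
#   verify_bundle fak3r.com.bundle.crt fak3r.com.key
# Point ssl_certificate at the bundle, then run: nginx -t

# build_bundle LEAF INTERMEDIATE OUT
# Writes the server certificate first, then the intermediate, which is the
# order nginx expects in the file named by ssl_certificate.
build_bundle() {
    leaf=$1; inter=$2; out=$3
    for f in "$leaf" "$inter"; do
        # Each input must contain at least one PEM certificate block.
        grep -q -e '-----BEGIN CERTIFICATE-----' "$f" || {
            echo "no PEM certificate in $f" >&2; return 1; }
    done
    # awk ends every line it prints with a newline, so an input without a
    # final newline cannot fuse its END marker onto the next BEGIN marker.
    # tr drops carriage returns from files saved with CRLF line endings.
    awk 1 "$leaf" "$inter" | tr -d '\r' > "$out" || return 1
}

# count_certs FILE: number of certificates in a PEM file.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# verify_bundle BUNDLE KEY (requires openssl)
# openssl x509 reads only the first certificate in the file, so this
# confirms the server certificate is first and belongs to the private key.
verify_bundle() {
    bundle=$1; key=$2
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || {
        echo "private key does not match first certificate" >&2; return 1; }
}
```

If verify_bundle fails on a bundle that build_bundle accepted, the two input files were most likely passed in the wrong order.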

Great, now that I have you here, why don’t we cover some ‘BONUS’ material to make nginx serve SSL content a bit more securely. In your site configuration file, in your SSL section, besides the normal lines such as the location of the crt, key files and such, add some lines.